<html>
<head><meta charset="utf-8"><title>safe low-level string mutations · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html">safe low-level string mutations</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="147640893"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147640893" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147640893">(Nov 14 2018 at 02:20)</a>:</h4>
<p>Here is a fun case study:<a href="https://doc.rust-lang.org/std/primitive.str.html#method.make_ascii_uppercase" target="_blank" title="https://doc.rust-lang.org/std/primitive.str.html#method.make_ascii_uppercase">https://doc.rust-lang.org/std/primitive.str.html#method.make_ascii_uppercase</a></p>



<a name="147640902"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147640902" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147640902">(Nov 14 2018 at 02:21)</a>:</h4>
<p>clicking <code>[src]</code> reveals:</p>



<a name="147640905"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147640905" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147640905">(Nov 14 2018 at 02:21)</a>:</h4>
<div class="codehilite"><pre><span></span>    pub fn make_ascii_uppercase(&amp;mut self) {
        let me = unsafe { self.as_bytes_mut() };
        me.make_ascii_uppercase()
    }
</pre></div>



<a name="147640961"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147640961" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147640961">(Nov 14 2018 at 02:22)</a>:</h4>
<p>challenge: provide an safe API that accomplishes the <code>unsafe { self.as_bytes_mut() };</code> here, but requires no other changes!</p>



<a name="147640973"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147640973" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147640973">(Nov 14 2018 at 02:23)</a>:</h4>
<p>potential inspiration: <a href="https://www.reddit.com/r/rust/comments/9wcujb/mutguard_run_code_every_time_data_is_mutably/" target="_blank" title="https://www.reddit.com/r/rust/comments/9wcujb/mutguard_run_code_every_time_data_is_mutably/">https://www.reddit.com/r/rust/comments/9wcujb/mutguard_run_code_every_time_data_is_mutably/</a></p>



<a name="147641049"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641049" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641049">(Nov 14 2018 at 02:25)</a>:</h4>
<p>I am wondering about abstractions that temporarily allow data to enter an unsafe state (the <code>String</code> UTF-8 invariant seems like something of an unusual case for <code>unsafe</code>)</p>



<a name="147641057"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641057" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641057">(Nov 14 2018 at 02:25)</a>:</h4>
<p>not sure that's actually a good idea</p>



<a name="147641116"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641116" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641116">(Nov 14 2018 at 02:26)</a>:</h4>
<p>it would require an unwind safe invariant check and cleanup strategy that's guaranteed to run 100% of the time barring other unsafe interactions, I think</p>



<a name="147641158"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641158" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641158">(Nov 14 2018 at 02:27)</a>:</h4>
<p>you could imagine a "safe" <code>MutGuard</code> permitting <code>as_bytes_mut</code>-style access to the interior of a string that, upon detecting the mutated contents of a string are not valid UTF-8, would e.g. clear the string or otherwise return it to a valid UTF-8 state, and then panic</p>



<a name="147641232"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641232" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641232">(Nov 14 2018 at 02:29)</a>:</h4>
<p>the risk to me is that <code>String</code> crossing something like an unwind boundary, getting mutated, and somehow the <code>MutGuard</code> doesn't run and its contents are now no longer valid UTF-8</p>



<a name="147641286"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641286" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641286">(Nov 14 2018 at 02:30)</a>:</h4>
<p>at the very least the <code>MutGuard</code> needs to <code>catch_unwind</code> when exposing the mutable byte slice interior</p>



<a name="147641312"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641312" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641312">(Nov 14 2018 at 02:31)</a>:</h4>
<p>I'll say right away a leaky "safe" abstraction is probably worse than just using <code>unsafe</code></p>



<a name="147641321"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147641321" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147641321">(Nov 14 2018 at 02:31)</a>:</h4>
<p>so the question is can there be a non-leaky <code>MutGuard</code> for enforcing something like the UTF-8 invariant on <code>String</code> interiors</p>



<a name="147643112"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147643112" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gankra <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147643112">(Nov 14 2018 at 03:19)</a>:</h4>
<p>Yeah this is just the thread-scoped problem. Make the user execute inside a closure so you can construct MutGuard without ever giving it to the user, so you can be sure it doesn't get leaked.</p>



<a name="147643569"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147643569" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gankra <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147643569">(Nov 14 2018 at 03:33)</a>:</h4>
<p>I describe the exact problem here: <a href="https://doc.rust-lang.org/nightly/nomicon/leaking.html#threadscopedjoinguard" target="_blank" title="https://doc.rust-lang.org/nightly/nomicon/leaking.html#threadscopedjoinguard">https://doc.rust-lang.org/nightly/nomicon/leaking.html#threadscopedjoinguard</a></p>



<a name="147643613"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147643613" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gankra <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147643613">(Nov 14 2018 at 03:34)</a>:</h4>
<p>and you can see the fix here: <a href="https://docs.rs/crossbeam/0.3.0/crossbeam/struct.Scope.html#examples" target="_blank" title="https://docs.rs/crossbeam/0.3.0/crossbeam/struct.Scope.html#examples">https://docs.rs/crossbeam/0.3.0/crossbeam/struct.Scope.html#examples</a></p>



<a name="147643668"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147643668" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gankra <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147643668">(Nov 14 2018 at 03:36)</a>:</h4>
<p>remark that crossbeam::scope requires you to run inside a closure. this is because it basically creates a Vec&lt;JoinGuard&gt; that you can't touch. the <code>scope</code> argument your closure gets is basically <code>&amp;mut Vec&lt;JoinGuard&gt;</code> wrapped up so you can only push</p>



<a name="147645756"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147645756" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147645756">(Nov 14 2018 at 04:37)</a>:</h4>
<p>fun reading there <span class="user-mention" data-user-id="137587">@Gankro</span></p>



<a name="147699573"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699573" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699573">(Nov 14 2018 at 21:10)</a>:</h4>
<p>I've lately been thinking about this problem</p>



<a name="147699581"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699581" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699581">(Nov 14 2018 at 21:10)</a>:</h4>
<p>e.g., there is an unsafe composition danger even in the closure solution</p>



<a name="147699605"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699605" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699605">(Nov 14 2018 at 21:11)</a>:</h4>
<p>described in <a href="http://smallcultfollowing.com/babysteps/blog/2016/10/02/observational-equivalence-and-unsafe-code/" target="_blank" title="http://smallcultfollowing.com/babysteps/blog/2016/10/02/observational-equivalence-and-unsafe-code/">this blog post of mine on Observational Equivalence</a></p>



<a name="147699614"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699614" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699614">(Nov 14 2018 at 21:11)</a>:</h4>
<p>the tl;dr is that a coroutine library could 'leak' your stack frames</p>



<a name="147699627"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699627" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699627">(Nov 14 2018 at 21:11)</a>:</h4>
<p>so basically rayon + crossbeam are relying on stack frames being destructed</p>



<a name="147699692"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699692" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699692">(Nov 14 2018 at 21:12)</a>:</h4>
<p>this is kind of the same problem as the <code>&amp;mut</code> borrow problem that I talk about in <a href="http://smallcultfollowing.com/babysteps/blog/2018/11/10/after-nll-moving-from-borrowed-data-and-the-sentinel-pattern/" target="_blank" title="http://smallcultfollowing.com/babysteps/blog/2018/11/10/after-nll-moving-from-borrowed-data-and-the-sentinel-pattern/">my most recent blog post on the sentinel pattern</a></p>



<a name="147699699"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699699" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699699">(Nov 14 2018 at 21:12)</a>:</h4>
<p>in particular, if you were to allow a move out from an <code>&amp;mut</code>,</p>



<a name="147699740"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699740" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699740">(Nov 14 2018 at 21:13)</a>:</h4>
<p>the danger is that -- in the event of panic -- that <code>&amp;mut</code> may be referencing some value V where the owner will either:</p>
<ul>
<li>observe it during unwinding (via a <code>Drop</code> impl)</li>
<li>outlive the unwind (because of <code>catch_panic</code>, a mutex, etc)</li>
</ul>



<a name="147699749"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699749" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699749">(Nov 14 2018 at 21:13)</a>:</h4>
<p>the goal with the <code>take_mut</code> crate is to make those things impossible</p>



<a name="147699756"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699756" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699756">(Nov 14 2018 at 21:13)</a>:</h4>
<p>but it's again assuming some kind of "absolute owner" -- the process</p>



<a name="147699838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699838">(Nov 14 2018 at 21:14)</a>:</h4>
<p>I think the debate about whether one could reasonably have an <code>&amp;mut</code> that references things outside the process basically comes down to the same question in a way: how "high up" in the ownership hierarchy can we reasonable assert control from inside our rust program?</p>



<a name="147699869"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699869" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699869">(Nov 14 2018 at 21:15)</a>:</h4>
<p>in short, if you want to ensure that some event X occurs, you need to have some kind of "ownership" over the "lifecycle" of all the things that lead up to X</p>



<a name="147699883"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147699883" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147699883">(Nov 14 2018 at 21:15)</a>:</h4>
<p>anyway, I'm not 100% sure where these thoughts are going, but there is something tantalizing there</p>



<a name="147707505"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147707505" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Tony Arcieri <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147707505">(Nov 14 2018 at 23:24)</a>:</h4>
<p>yeah, wasn't actually recommending the closure solution, just wondering if it could be done in a non-leaky way. and it sounds like that isn't the case</p>



<a name="147726224"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147726224" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147726224">(Nov 15 2018 at 07:40)</a>:</h4>
<blockquote>
<p>but it's again assuming some kind of "absolute owner" -- the process</p>
</blockquote>
<p>Very losely related: We currently actually have a safe function (on unix) that makes it pretty much impossible to use even ownership (not to speak of borrows) for things outside the current process: Thanks to <code>before_exec</code>, we have <code>fork</code> in safe code. See <a href="https://github.com/rust-lang/rust/issues/39575" target="_blank" title="https://github.com/rust-lang/rust/issues/39575">#39575</a>.</p>



<a name="147726239"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147726239" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147726239">(Nov 15 2018 at 07:41)</a>:</h4>
<p>I am trying to convince alex to make it <code>unsafe</code>, so far unsuccessfully^^</p>



<a name="147757574"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147757574" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147757574">(Nov 15 2018 at 17:17)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> interesting. Ugh.</p>



<a name="147757938"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147757938" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147757938">(Nov 15 2018 at 17:23)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> seems like we should open some kind of issue about this in the UCG repository — I feel like this topic of "cross-process ownership and references" is worth talking out</p>



<a name="147757942"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147757942" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nikomatsakis <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147757942">(Nov 15 2018 at 17:23)</a>:</h4>
<p>thoughts?</p>



<a name="147758296"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147758296" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147758296">(Nov 15 2018 at 17:28)</a>:</h4>
<p>Sure. I explained my position in that issue already (maybe a bit too vehemently^^)</p>



<a name="147791800"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147791800" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147791800">(Nov 16 2018 at 03:02)</a>:</h4>
<blockquote>
<p>cross-process ownership and references</p>
</blockquote>
<p>Sounds relevant to the <code>mmap</code> family of things, as well.</p>



<a name="147816191"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147816191" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gankra <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147816191">(Nov 16 2018 at 13:23)</a>:</h4>
<p><span class="user-mention" data-user-id="116155">@Jake Goulding</span> mmap very bluntly says "this is unsafe, it can't be made safe" and leaves it at that</p>



<a name="147816222"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147816222" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Gankra <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147816222">(Nov 16 2018 at 13:23)</a>:</h4>
<p>because anyone can truncate the file being pointed into, and there's literally no non-racey way to detect it</p>



<a name="147819847"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe%20low-level%20string%20mutations/near/147819847" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/safe.20low-level.20string.20mutations.html#147819847">(Nov 16 2018 at 14:28)</a>:</h4>
<p>right, which is why "cross-process ownership" seemed relevant, but perhaps it's still too broad</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>